Back in late 2015/early 2016, these .js files were the bane of my existence. These often times came bundled as attachments in Fedex or UPS phishes. Thankfully, we started blocking .js attachments and these sort of just went away one day.
Here's the file so you can follow along:
Let's open this up really quick and see what we're working with.
Figure 1: That's a lot of adding and whatnot going on.
As always, this is pretty ugly looking, but at its core, it looks like it's really just a bunch of variables being added to each other. Near the bottom, you can see l54(l96). This is a pretty dead giveaway of what is going on. Before we discuss what exactly is going on, let's make this look a little prettier.
Figure 2: Wow this screenshot is terrible, but just throw the code into JSBeautifier.
Okay, JSBeautifier makes it a little easier to see what is going on. The top portion of code declares a ton of variables. Then, the variables are all consolidated into l54. Finally, at the bottom, we notice l54(l96). This is going to be the eval() call that runs the code after it's built out in
There are several ways we can attack this. One option would be to manually go through and add each variable together in l96. While this is definitely doable, I don't recommend it because frankly, that's a stupid way to do it. The next thing we could do is throw it into JSDetox. JSDetox actually does great with code like this, and with the click of a button, this will do everything for us. Finally, we could use our BESTEST FRIEND FOREVER AND EVER AND EVER AND EV.... Google Chrome. Let's approach it first with Chrome, as it's better to know how to do it yourself and not rely on tools such as JSDetox (because JSDetox fails all the time!). Then, I'll show you the lazy man's approach with JSDetox.
Google Chrome Method
Just like last time, we're going to paste our code into the console and see what we're working with. Now, one important note: I can tell you ahead of time this is not going to work. Why? Because these little .js files ALWAYS used WScript. So what's the problem? Well, WScript will only run on Windows. When you put WScript in Google Chrome, it has no idea what to do with it.
Figure 3: Hey! None of that WScript garbage allowed in Chrome!
Uncaught ReferenceError: WScript is not defined. Yup, no WScript. No big deal though, we're not really interested in running the code, we just want to see what it does. Earlier we talked about l54 being the eval() function. Let's verify that quickly.
Figure 4: Look, the eval() function!
Just as predicted, l54() is simply eval(). Okay, so we could just run this line: l54(l96);, but it's not really necessary in this case. The information we want is already stored in l96. All we need to do is print it out to the console.
Figure 5: Impossible to see, but here's the code inside l96! We did it!
Hey, there's our readable code! Let's make this look a little nicer and take a look at what it does.
Figure 6: All your bases are belong to us because we encrypted them. ;)
Well, there you go. Clean, readable code. Nemucod is a pretty simple little downloader and is easy to understand, so I encourage you to read through it and see what it does.
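The pattern above (string fragments in many variables, one variable that concatenates them, and an alias of eval that is called on the result) is regular enough that you can recover the payload without running any of the loader at all, which also sidesteps the WScript problem entirely. The following is an added example and not code from the original post or from the Nemucod sample: a small static resolver that walks the var assignments, follows identifiers through + chains, spots aliases of eval, and returns the string that would have been passed to it. The sample it operates on is constructed in the shape of the loader described above; the variable names (l12, l33, l07, l48, l96, l54) and the payload text are made up for illustration and the payload only echoes a string.

```javascript
// Added example (not from the original post): static recovery of the string
// handed to an aliased eval(), without executing the loader. Nothing in
// `sample` is run; we only read its assignments.

// Constructed sample in the shape of the Nemucod-style loader discussed in
// the post. Names and payload text are invented for illustration.
const sample = `
var l12 = "var u";
var l33 = "rl = 'http://exam";
var l07 = "ple.invalid/x'; ";
var l48 = "WScript.Echo(url);";
var l96 = l12 + l33 + l07 + l48;
var l54 = eval;
l54(l96);
`;

// Split `text` on `sep`, ignoring separators that sit inside string literals
// (the loader's fragments often contain ';' and '+', so a plain split breaks).
function splitOutsideQuotes(text, sep) {
  const parts = [];
  let cur = "";
  let quote = null;
  for (let i = 0; i < text.length; i++) {
    const ch = text[i];
    if (quote) {
      cur += ch;
      if (ch === "\\" && i + 1 < text.length) cur += text[++i]; // keep escape pairs intact
      else if (ch === quote) quote = null;
    } else if (ch === '"' || ch === "'") {
      quote = ch;
      cur += ch;
    } else if (ch === sep) {
      parts.push(cur);
      cur = "";
    } else {
      cur += ch;
    }
  }
  parts.push(cur);
  return parts.map((p) => p.trim()).filter((p) => p.length > 0);
}

// Collect `var name = <expr>` statements into a Map of name -> expression text.
function parseAssignments(src) {
  const assigns = new Map();
  for (const stmt of splitOutsideQuotes(src, ";")) {
    const m = stmt.match(/^var\s+([A-Za-z_$][\w$]*)\s*=\s*([\s\S]+)$/);
    if (m) assigns.set(m[1], m[2].trim());
  }
  return assigns;
}

// Undo the common backslash escapes inside a string literal body.
function unescapeLiteral(body) {
  const map = { n: "\n", r: "\r", t: "\t", "0": "\0" };
  return body.replace(/\\(.)/g, (_, c) => (c in map ? map[c] : c));
}

// Resolve an expression made only of string literals and identifiers joined
// by '+'. Anything else throws, so an unexpected construct is noticed instead
// of being silently mis-resolved.
function resolve(expr, assigns, depth = 0) {
  if (depth > 200) throw new Error("resolution too deep: cycle or very long chain");
  let out = "";
  for (const part of splitOutsideQuotes(expr, "+")) {
    const lit = part.match(/^(["'])([\s\S]*)\1$/);
    if (lit) out += unescapeLiteral(lit[2]);
    else if (assigns.has(part)) out += resolve(assigns.get(part), assigns, depth + 1);
    else throw new Error("unsupported token: " + part);
  }
  return out;
}

// Find `alias(arg)` statements where alias is eval or a variable assigned from
// eval (directly or through another alias).
function findEvalCalls(src, assigns) {
  const aliases = new Set(["eval"]);
  for (const [name, expr] of assigns) if (aliases.has(expr)) aliases.add(name);
  const calls = [];
  for (const stmt of splitOutsideQuotes(src, ";")) {
    const m = stmt.match(/^([A-Za-z_$][\w$]*)\s*\(\s*([\s\S]*?)\s*\)$/);
    if (m && aliases.has(m[1])) calls.push({ alias: m[1], arg: m[2] });
  }
  return calls;
}

// Top-level entry point: every eval-alias call with its recovered argument.
function extractPayloads(src) {
  const assigns = parseAssignments(src);
  return findEvalCalls(src, assigns).map((c) => ({
    alias: c.alias,
    payload: resolve(c.arg, assigns),
  }));
}

for (const { alias, payload } of extractPayloads(sample)) {
  console.log(`${alias}() would have received:\n${payload}`);
}
```

Because the resolver never evaluates the loader, it works the same in Node, in the Chrome console, or anywhere else, and a sample that uses WScript in the payload is no obstacle. The trade-off is that it only understands this one shape; a loader that builds its strings with function calls, array joins or arithmetic will hit the "unsupported token" error, which is the signal to fall back to the console approach from the post.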
JSDetox, for all you lazy people!
Okay, so now that we understand how to do this manually, let's take the lazy approach. (I mean, lazy is always best I guess, right?) Fire up JSDetox on your REMnux box, paste the code in and hit "execute".
Figure 7: Once again, JSDetox says none of that WScript garbage. Click on "Show Code" and we'll get our deobfuscated code!
Now, just simply click on "Show Code" and Voila! Happy Birthday! It's always nice to get the answer in 5 seconds.
Figure 8: JSDetox is the winner this round! Answer in 5 seconds!
As I said, Nemucod is a pretty easy-to-understand dropper, so spend some time to figure out just how this thing works. You'll notice the encryption message in the code that I was joking about earlier. At the time I got this sample, Nemucod was dropping ransomware. Pretty neat stuff!
As always, if you have any questions or comments, feel free to comment below. Now that we're getting fairly confident, let's tackle something a little more difficult in the third entry of this series!